Hacker News new | ask | show | jobs
by stavros 1639 days ago
This is very interesting, thanks! It reminds me of a friend's adventure, he found a contract containing some ETH that could be called with some more ETH and would send the entire sum back to the caller. He analyzed it a bunch of ways to make sure it wasn't a scam, and then sent some ETH to it.

It was a scam.

I wonder how it was done, Etherscan didn't show anything and compiling it led to a few bytes of difference between what was compiled and what was deployed.
2 comments
Aramgutang 1639 days ago
There are so many clever ways to code honeypots using obscure peculiarities of Solidity and/or Etherscan that there's little hope of being sure that it isn't a scam just by looking at the code and transaction history.

Fortunately, there are tools like Ganache, which you can run with `ganache-cli --fork` to reliably emulate locally what will happen when transactions are sent to mainnet. I would accept no substitute approach when dealing with suspect contracts.

link
stavros 1639 days ago
Oh huh, I didn't know Ganache could do that, thank you!
link
leppr 1639 days ago
Interesting, it might use a flaw in the Etherescan contract verification[1]. But in any case, when you expect a honeypot you can and should execute the contract off-chain[2] and examine the resulting state (specifically your account balances) before committing a real transaction. Wallets should really do this by default, but unfortunately there doesn't seem to be a lot of resources available for common goods projects like wallets, so we are stuck with primitive tools.

[1]: Like this Unicode RLO exploit for instance: https://krebsonsecurity.com/2021/11/trojan-source-bug-threat...

[2]: https://tenderly.co or mainnet forking using hardhat are convenient ways to achieve this.

link
stavros 1639 days ago
That's a great tip, thanks! I will relay it, as I don't know much about Ethereum. Can you download and redeploy the compiled contract?
link
pcthrowaway 1639 days ago
This might be the same bug reported and fixed in the Ethereum pinball article I shared
link
stavros 1639 days ago
Yeah, definitely sounds very similar, at least.
link
leppr 1639 days ago
Yes, you can always clone and redeploy any contract with its raw EVM code.
link
stavros 1639 days ago
Thank you for this tip, which is very concretely worth 1 ETH.
link